On Tue, 2017-04-04 at 23:39 +0200, Niels Möller wrote:

> > "These variants
> > take advantage of a randomly chosen salt value, which could
> > enhance the
> > security by causing output to be different for equivalent inputs.
> > 
> > However, assuming the same security level as inverting the
> > @acronym{RSA}
> > algorithm, a longer salt value does not always mean better
> > security
> > @uref{http://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf}
> > .
> > The typical choices of the length are between 0 and the digest size
> > of
> > the underlying hash function."
> 
> That's better, but still not crystal clear. In what scenarios does
> the salt provide additional security? If the attacker gets to see
> signatures but not the corresponding messages?

The salt is needed in the "tight" proof for RSA-PSS, which in the end
assures that if RSA-PSS is broken, RSA is broken. As far as I understand,
it is not tied to any concrete attack. The paper above ties the salt
size to the total number of signatures generated, and PKCS#1
transforms this into a "security level" question by tying the salt size
to the length of the selected hash.

regards,
Nikos

_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
